But (and this is my fault, I did only ask for 10 minutes) I should have spent some time to talk about the "why"

Why do we need this? What problem does this solve?

Why does John think this is super special?

This is special because, a $Batch connector is a "Send HTTP Request to MS Graph" as me.

It is a wishing wand that grants wishes. Creating MSTeam is a wish. We didn't build a wish. We built a wishing wand. Then we waved it around. MS Teams API currently is delegate permission only, so we call it through a $batch connector.

Planner API is delegate only. Any time you see a delegate permission MSGraph you remember you have a wishing wand.

The Ingredients:

Microsoft Flow and Logic Apps has concept of connectors (these are essentially API definitions) and connections (these are instances of connectors bound to a resource as well as cached automatic authentication)

A Flow is a JSON description of how actions and triggers on the connection are chained together to perform automation.

We do have a general purpose HTTP action, and it works very well for app-only permissions that needs client-id/client-secret or client-cert. But HTTP action is not backed by a connectors framework so it can't remember credentials.

To build a general purpose tool and remember credentials for Microsoft Graph, we have to build a custom connection. This is basically a swagger API file that tells Flow and LogicApps what APIs exist on the resource. In the case of MSGraph, that list is enormous.

The Recipe:

The crazy part though, is MSGraph provides a $batch endpoint, so the recipe for building the magic wand is simply this:

Build a custom connection with one method - $batch - this is a POST

Pre-authenticate it with a delegate permission

Wrap requests (1 or many) as a JSON array and call them via the $batch connection.

We have a magic wand

Where do we go from here?

I demoed this with a Manual button trigger. Jeremy mentioned (in the video) that this can easily be a SharePoint trigger.

This can also be a HTTP Request trigger, turning your Teams Provisioning into one simple HTTP Webservice. You can hook that up to external systems, PowerApp or a bot.

A technical note

Sometimes you discover you need extra permissions on that Azure AD app. We do this by going back to Azure AD portal and add the extra permissions. You can "grant permission" through the AAD portal.

If the cached connection in Flow refuses to work, I find that we may need to right-click on the custom connection and re-authenticate. Sometimes this requires us to switch to a different user then switch back. Because Azure AD dynamic consent is just so hard to do.